USM Anywhere™

Linux Log Collection with NXLog

NXLog is a universal log collection and forwarding agent for various platforms, including Linux. With the NXLog Enterprise Edition, you can scan files and directories to report detected change, known as File Integrity Monitoring (FIM). USM Anywhere provides an AlienApp for Linux NXLog and the configuration file to collect FIM data.

According to the vendor documentation, FIM is only available in the NXLog Enterprise Edition. In addition, NXLog must have permission to read the files you want to monitor. You can run NXLog as root, or make sure the nxlog user or group has permission to read the files.

To download the configuration file from USM Anywhere

  1. Log in to USM Anywhere and go to Settings > System.
  2. In the left navigation panel, click NXLog Configuration to open the page.
  3. Select Linux Systems.

    NXLog Configuration main screen

  4. Click File Integrity Monitoring.
  5. Enter the IP address of your USM Anywhere Sensor.

    Note: USM Anywhere uses UDP port 514 to forward the logs.

  6. Click Create File to generate the new nxlog.conf file and save it to your NXLog installation directory.

    Note: AT&T Cybersecurity recommends you to save a copy of the original nxlog.conf file first.

  7. Restart NXLog.

The AlienApp for Linux NXLog is auto-discovered. No additional configuration is needed. Following is an example of the downloaded file:

#

# Configuration for converting and sending Linux logs

# to AlienVault USM Anywhere.

#

# Version: 0.0.1

# Last modification: 2020-12-02

#

 

define OUTPUT_DESTINATION_ADDRESS_AND_PORT 1.1.1.1:514

 

# Default values:

# Note: These values can change depending on the Linux flavour

 

define INSTALLDIR /opt/nxlog

define LOGDIR %INSTALLDIR%/var/log/nxlog

define MYLOGFILE %LOGDIR%/nxlog.log

LogFile %MYLOGFILE%

 

# Load extension common to all inputs

<Extension _json>

Module xm_json

</Extension>

 

<Extension _syslog>

Module xm_syslog

</Extension>

 

# Set all inputs

<Input rsyslog_in>

Module im_file

File "/var/log/syslog"

Exec parse_syslog();

</Input>

 

<Input secure_in>

Module im_file

File "/var/log/auth.log"

Exec parse_syslog();

</Input>

 

<Input audit_in>

Module im_file

File "/var/log/audit/audit.log"

Exec parse_syslog();

</Input>

 

<Output out>

Module om_udp

Host %OUTPUT_DESTINATION_ADDRESS_AND_PORT%

Exec $EventTime = integer($EventTime) / 1000000;

Exec $EventReceivedTime = integer($EventReceivedTime)/1000000;

Exec $Message = to_json(); to_syslog_bsd();

</Output>

 

# Set common route

<Route USM_Out>

Path rsyslog_in, secure_in, audit_in => out

</Route>

 

#######################################################################

#### FIM-LINUX-NXLOG-EE #####

#### Uncomment the following lines for FIM LINUX NXLOG EE #####

#### log forwarding #####

#######################################################################

 

## This config includes just the paths specified in nxlog official

## documentation, but more paths can be added if needed

 

<Input fim_linux>

Module im_fim

File "/bin/*"

File "/etc/*"

File "/lib/*"

File "/opt/nxlog/bin/*"

File "/opt/nxlog/lib/*"

File "/sbin/*"

File "/usr/bin/*"

File "/usr/sbin/*"

Exclude "/etc/hosts.deny"

Exclude "/etc/mtab"

Recursive TRUE

ScanInterval 1800

</Input>

 

<Output fim_out_linux>

Module om_udp

Host %OUTPUT_DESTINATION_ADDRESS_AND_PORT%

Exec $SourceName = "FIM-LINUX-NXLOG-EE";

Exec $Message = to_json(); to_syslog_bsd();

</Output>

 

<Route fim_route_linux>

Path fim_linux => fim_out_linux

</Route>

 

#######################################################################

#### FIM-LINUX-NXLOG-EE #####

#######################################################################